A memory corruption vulnerability in Delta Electronics' CNCSoft-G2 HMI software can give attackers full code execution on engineering workstations when victims open booby-trapped project files, the vendor and cybersecurity authorities warned this week. The flaw, tracked as CVE-2025-47728, resides in the DPAX project file parser and has been patched in an emergency update that industrial organizations need to deploy immediately.
Delta issued the fix in coordination with the Zero Day Initiative (ZDI) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which published advisory ICSA-25-240-04 on August 28, 2025. The vulnerability scores 8.5 out of 10 on the CVSS v4 scale and 7.8 on the v3.1 scale, underscoring the high risk to manufacturing and energy sectors where CNCSoft-G2 is widely deployed.
The bug allows an attacker to craft a malicious DPAX file—a project format used by the software—that, when opened, triggers an out-of-bounds write in memory. This corruption can be leveraged to hijack the execution flow and run attacker-chosen code with the privileges of the current user. Since engineering workstations often have broad access to operational technology (OT) networks and controllers, a compromise can lead to lateral movement, manipulation of industrial processes, or theft of sensitive intellectual property.
Vulnerability Details: DPAX Parser Flaw Yields Reliable Exploit
CVE-2025-47728 stems from improper input validation in the code that handles DPAX project files. According to both ZDI's technical write-up and CISA's advisory, the parser fails to enforce correct boundary checks when processing specific data fields. This results in a classic out-of-bounds write (CWE-787), where attacker-controlled data is written past the end of an allocated buffer.
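The bug class described above, as an added illustration that is not Delta's code and does not use the real DPAX layout (which the advisory does not document): a constructed length-prefixed field is copied into a fixed 64-byte record buffer, first with the attacker-controlled length trusted (CWE-787) and then with the two checks a hardened parser needs.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed toy layout, NOT the real DPAX format:
 *   [u16 little-endian declared_len][declared_len payload bytes]
 * The parser copies the payload into a fixed-size field of a record. */
#define FIELD_CAP 64

typedef struct {
    uint8_t  name[FIELD_CAP];
    uint16_t name_len;
} record_t;

/* Vulnerable pattern (CWE-787): the declared length comes straight from
 * the file and is never compared with FIELD_CAP or with buf_len, so a
 * declared_len larger than 64 writes past rec->name. Shown for contrast;
 * it must never be run on untrusted input. */
int parse_field_unchecked(const uint8_t *buf, size_t buf_len, record_t *rec)
{
    if (buf_len < 2) return -1;
    uint16_t declared_len = (uint16_t)(buf[0] | (buf[1] << 8));
    memcpy(rec->name, buf + 2, declared_len);
    rec->name_len = declared_len;
    return 0;
}

/* Hardened version: the declared length is validated against both the
 * destination capacity and the bytes actually present before any copy. */
int parse_field_checked(const uint8_t *buf, size_t buf_len, record_t *rec)
{
    if (buf_len < 2) return -1;                          /* truncated header */
    uint16_t declared_len = (uint16_t)(buf[0] | (buf[1] << 8));
    if (declared_len > FIELD_CAP) return -2;             /* would overflow rec->name */
    if ((size_t)declared_len > buf_len - 2) return -3;   /* claims more than the file holds */
    memcpy(rec->name, buf + 2, declared_len);
    rec->name_len = declared_len;
    return 0;
}
```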
Exploitation requires user interaction—a target must open a specially crafted DPAX file. However, attack complexity is rated low because the memory corruption is deterministic and can be triggered reliably. An attacker needs no prior authentication or elevated privileges; simply convincing a user to double-click a file, perhaps through a phishing email or a compromised USB stick, is sufficient.
The exploitation chain, as described by researchers, follows a familiar pattern. The crafted file corrupts heap metadata or object pointers, allowing the attacker to redirect execution to shellcode or to chain with other techniques for arbitrary code execution. Since CNCSoft-G2 runs with the user's access rights, the attacker inherits those permissions—often high enough to interact with controllers, modify project data, or exfiltrate sensitive recipes and machine parameters.
CISA's advisory confirms that no known public exploitation has been reported as of the advisory date. But similar file-parsing bugs in industrial software have been weaponized in the past, and the low complexity of this vulnerability makes it an attractive target for threat actors targeting critical infrastructure.
Affected Versions and Patch Guidance
Delta Electronics confirmed that CNCSoft-G2 version 2.1.0.20 and all prior releases are vulnerable. The vendor has released version 2.1.0.27, which contains the fix. The patch is documented in Delta's product security advisory Delta-PCSA-2025-00007, available in both English and Chinese on the company's security website.
Operators must verify they are not running any earlier builds. Importantly, Delta has issued multiple advisories over the past year addressing separate but related parsing bugs in CNCSoft-G2. Administrators should not assume that a previously applied update covers CVE-2025-47728; they must specifically check for the DPAX-related fix. CISA and ZDI both stress that applying the latest available build (v2.1.0.27 or later) is the definitive mitigation.
For organizations that cannot patch immediately, CISA recommends a set of compensating controls. These include blocking DPAX files from untrusted sources, scanning project files with updated antimalware tools before opening, enforcing least privilege for engineering software users, and isolating engineering workstations from the internet and from other network segments. Delta also advises against opening unsolicited email attachments or clicking on untrusted links.
Operational Impact: Why This Matters for Industrial Environments
Engineering workstations running CNCSoft-G2 occupy a privileged position in many OT architectures. They are used to design, test, and deploy control logic to programmable logic controllers (PLCs) and HMIs on the factory floor. A successful exploit against such a host can have cascading consequences.
An attacker who gains code execution can tamper with project files, altering machine tool paths, process sequences, or safety configurations. These modified files could then be deployed to field devices, causing physical damage, production outages, or safety hazards. Because engineering hosts often maintain persistent connections to controllers, they also serve as pivot points for lateral movement deeper into the OT network.
Beyond operational disruption, intellectual property theft is a serious concern. DPAX files contain proprietary machine parameters, automation recipes, and custom control algorithms that represent significant R&D investment. Exfiltration of such data could benefit competitors or nation-state actors.
The high impact scores assigned to CVE-2025-47728—complete compromise of confidentiality, integrity, and availability—reflect these realities. While the attack vector is local, the potential business and safety repercussions are severe enough to warrant urgent attention from both IT and OT security teams.
Disclosure Timeline and Vendor Coordination
The vulnerability was discovered by researcher Natnael Samson, working with Trend Micro's Zero Day Initiative. ZDI reported the flaw to Delta, which then developed and tested a fix. The coordinated disclosure resulted in simultaneous publication of the ZDI advisory (ZDI-25-411) and the CISA ICS advisory on August 28, 2025.
This multi-party collaboration allowed defenders to receive clear, actionable guidance at the same time the flaw became public. It is a model for how industrial control system security research should be handled, but its effectiveness ultimately depends on how quickly asset owners act on the information.
The advisory is part of a broader cluster of disclosures affecting CNCSoft-G2. Over the past year, multiple parsing vulnerabilities have been identified and patched, covering stack overflows, heap corruptions, and uninitialized variable issues. Organizations must manage this patch fragmentation carefully to avoid missing a specific fix.
Practical Steps for Industrial IT and OT Teams
CISA and Delta provide a clear remediation path. Here is a distilled checklist for security and plant engineers:
- Inventory every CNCSoft-G2 installation: Check engineering workstations, jump hosts, test benches, and offline virtual machines. Do not forget backup images that might be restored into production.
- Confirm the exact version: Look for CNCSoft-G2 version 2.1.0.20 or earlier. Verify against the vendor advisory, not just a generic "latest" label.
- Apply the patch: Download and install version 2.1.0.27 from Delta's official portal. Test in a staging environment first if possible.
- Quarantine incoming DPAX files: Instruct users not to open project files received from external sources. Use sandboxing and scanning where feasible.
- Harden workstations: Enforce least-privilege execution, application allow-listing, and network segmentation. Limit direct internet access and file-sharing capabilities.
- Review incident response plans: Update playbooks to include detection of file-parsing exploits (application crashes, suspicious outbound connections) and establish contacts with CISA or national CSIRTs.
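The version-confirmation step of the checklist, as an added example rather than a Delta or CISA tool: it compares an installed CNCSoft-G2 build string against the affected ceiling (2.1.0.20) and the fix build (2.1.0.27) from the advisory, and deliberately flags builds that fall between the two as needing verification instead of treating anything "newer than affected" as safe. The host names and versions in the sample inventory are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Boundaries taken from the advisory text: 2.1.0.20 and earlier are
 * affected; 2.1.0.27 is the first build that carries the fix. */
static const int LAST_AFFECTED[4] = {2, 1, 0, 20};
static const int FIRST_FIXED[4]   = {2, 1, 0, 27};

enum triage { TRIAGE_INVALID, TRIAGE_VULNERABLE, TRIAGE_UNLISTED, TRIAGE_FIXED };

/* Parse "a.b.c.d" into four non-negative ints; 0 if the string is anything else. */
int parse_version(const char *s, int v[4])
{
    char tail;
    if (sscanf(s, "%d.%d.%d.%d%c", &v[0], &v[1], &v[2], &v[3], &tail) != 4) return 0;
    for (int i = 0; i < 4; i++) if (v[i] < 0) return 0;
    return 1;
}

/* Component-wise comparison: <0 if a is older, 0 if equal, >0 if a is newer. */
int cmp_version(const int a[4], const int b[4])
{
    for (int i = 0; i < 4; i++)
        if (a[i] != b[i]) return a[i] < b[i] ? -1 : 1;
    return 0;
}

/* Classify one installed build against the CVE-2025-47728 range. Builds
 * between the affected ceiling and the fix build are UNLISTED: check them
 * against the vendor advisory rather than assuming they are patched. */
enum triage triage_build(const char *installed)
{
    int v[4];
    if (!parse_version(installed, v)) return TRIAGE_INVALID;
    if (cmp_version(v, LAST_AFFECTED) <= 0) return TRIAGE_VULNERABLE;
    if (cmp_version(v, FIRST_FIXED) >= 0) return TRIAGE_FIXED;
    return TRIAGE_UNLISTED;
}

int main(void)
{
    /* Constructed sample inventory (host, reported version); not real data. */
    const char *hosts[][2] = {{"eng-ws-01", "2.1.0.20"}, {"eng-ws-02", "2.1.0.27"},
                              {"jumphost", "2.1.0.21"}, {"bench-vm", "latest"}};
    static const char *label[] = {"invalid: re-check", "VULNERABLE: patch", "unlisted: verify", "fixed"};
    for (size_t i = 0; i < sizeof hosts / sizeof hosts[0]; i++)
        printf("%-10s %-9s %s\n", hosts[i][0], hosts[i][1], label[triage_build(hosts[i][1])]);
    return 0;
}
```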
Delta also emphasizes general security practices: never expose control systems to the internet, place devices behind firewalls, and use VPNs for any remote access. These measures reduce the attack surface, but patching remains the primary defense against this specific vulnerability.
Critical Analysis: The Good and the Watch-Outs
The coordinated response shows notable strengths. The vendor and research community aligned their disclosures, minimizing the window between public awareness and patch availability. CISA's advisory is detailed, includes CVSS scoring for both v3.1 and v4, and offers both short-term workarounds and long-term fixes.
However, the patch fragmentation risk is real. With multiple CVEs in the same product family, each with slightly different affected version ranges, organizations may inadvertently skip an update. Administrators must cross-reference the specific CVE against the vendor's security page, not just assume that the latest download covers every known issue.
The local attack vector requirement may lull some defenders into complacency. But in ICS environments, project files are routinely exchanged via email, USB drives, and shared network folders. Social engineering can trick users into opening malicious files with minimal effort. Relying solely on user caution is dangerous; technical controls must be layered on.
Another concern involves OT patch management practices. Many industrial facilities run on frozen images and hesitate to apply updates for fear of breaking validated systems. The tension between security and operational stability is real, but the severity of this bug tips the balance toward urgent action. CISA's recommendation to patch immediately, combined with the availability of compensating controls for systems that cannot be patched, provides a responsible middle ground.
Broader Lessons for ICS Security
CVE-2025-47728 reinforces three persistent truths about industrial cybersecurity.
First, engineering software is a high-value target. Vendors and users must treat project file formats as first-class attack surfaces and subject them to the same scrutiny as network protocols or web interfaces. Fuzzing and code audits should be standard practice.
Second, coordinated disclosure remains the gold standard. The ZDI–Delta–CISA collaboration illustrates how responsible disclosure can protect users when all parties work in good faith. However, defenders must convert advisories into action promptly; awareness without patching accomplishes nothing.
Third, defense-in-depth is non-negotiable. Even after patching, organizations should maintain strict network segmentation, enforce least privilege, and monitor engineering workstations for anomalous behavior. A single point of failure—such as an unpatched, internet-connected engineering laptop—can undo layers of perimeter security.
Conclusion
CVE-2025-47728 is a textbook example of a dangerous but fixable flaw in industrial software. Delta's CNCSoft-G2 update to version 2.1.0.27 closes a memory corruption vulnerability that, if left unpatched, could allow attackers to execute arbitrary code on critical engineering systems. CISA and ZDI have provided all the information defenders need to act, from technical details to mitigation checklists.
For organizations in critical manufacturing and energy, the message is unequivocal: patch now, harden your engineering workstations, and treat every project file as a potential threat. The cost of inaction could be measured not just in data loss but in physical harm and production paralysis.